Getting web authentication right: a best-case protocol for the remaining life of passwords

Joseph Bonneau

Research output: Chapter in Book/Report/Conference proceeding (Conference contribution)

Abstract

We outline an end-to-end password authentication protocol for the web designed to be stateless and as secure as possible given legacy limitations of the web browser and performance constraints of commercial web servers. Our scheme is secure against very strong but passive attackers able to observe both network traffic and the server's database state. At the same time, our scheme is simple for web servers to implement and requires no changes to modern, HTML5-compliant browsers. We assume TLS is available for initial login and no other public-key cryptographic operations, but successfully defend against cookie-stealing and cookie-forging attackers and provide strong resistance to password guessing attacks.

Original language: English (US)
Title of host publication: Security Protocols XIX - 19th International Workshop, Revised Selected Papers
Pages: 98-104
Number of pages: 7
Volume: 7114 LNCS
DOIs: https://doi.org/10.1007/978-3-642-25867-1_8
State: Published - 2011
Event: 19th International Security Protocols Workshop - Cambridge, United Kingdom
Duration: Mar 28 2011 to Mar 30 2011

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 7114 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Other

Other: 19th International Security Protocols Workshop
Country: United Kingdom
City: Cambridge
Period: 3/28/11 to 3/30/11

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Cite this

Bonneau, J. (2011). Getting web authentication right: a best-case protocol for the remaining life of passwords. In Security Protocols XIX - 19th International Workshop, Revised Selected Papers (Vol. 7114 LNCS, pp. 98-104). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 7114 LNCS). https://doi.org/10.1007/978-3-642-25867-1_8

@inproceedings{b3fa4a1b27ee4cb7bc13151f1aa46ca4,
title = "Getting web authentication right: a best-case protocol for the remaining life of passwords",
abstract = "We outline an end-to-end password authentication protocol for the web designed to be stateless and as secure as possible given legacy limitations of the web browser and performance constraints of commercial web servers. Our scheme is secure against very strong but passive attackers able to observe both network traffic and the server's database state. At the same time, our scheme is simple for web servers to implement and requires no changes to modern, HTML5-compliant browsers. We assume TLS is available for initial login and no other public-key cryptographic operations, but successfully defend against cookie-stealing and cookie-forging attackers and provide strong resistance to password guessing attacks.",
author = "Joseph Bonneau",
year = "2011",
doi = "10.1007/978-3-642-25867-1_8",
language = "English (US)",
isbn = "9783642258664",
volume = "7114 LNCS",
series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",
pages = "98--104",
booktitle = "Security Protocols XIX - 19th International Workshop, Revised Selected Papers",
}

TY  - GEN
T1  - Getting web authentication right: a best-case protocol for the remaining life of passwords
AU  - Bonneau, Joseph
PY  - 2011
Y1  - 2011
AB  - We outline an end-to-end password authentication protocol for the web designed to be stateless and as secure as possible given legacy limitations of the web browser and performance constraints of commercial web servers. Our scheme is secure against very strong but passive attackers able to observe both network traffic and the server's database state. At the same time, our scheme is simple for web servers to implement and requires no changes to modern, HTML5-compliant browsers. We assume TLS is available for initial login and no other public-key cryptographic operations, but successfully defend against cookie-stealing and cookie-forging attackers and provide strong resistance to password guessing attacks.
UR  - http://www.scopus.com/inward/record.url?scp=84855772545&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=84855772545&partnerID=8YFLogxK
U2  - 10.1007/978-3-642-25867-1_8
DO  - 10.1007/978-3-642-25867-1_8
M3  - Conference contribution
SN  - 9783642258664
VL  - 7114 LNCS
T3  - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
SP  - 98
EP  - 104
BT  - Security Protocols XIX - 19th International Workshop, Revised Selected Papers
ER  -